# ldapdock

*_a configurable container running openLDAP_*

Step by step approach on how to set up and run an openLDAP server on a systemd-less Docker image container.

## _1- Creating the ldapdock image container_

Build ldapdock from the Dockerfile and run into it:

```
> docker build -t ldapdock /path/to/dockerfile
```

```
> docker run -h example.com -i -p 389:389 -t ldapdock
```

## _2- Run the openLDAP server and populate a directory_

Use the following command to start openLDAP:

```
root@example:/# slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
```

Create some groups and users to populate the directory (LDIF entries are separated by a blank line):

```
root@example:/# cat > add_content.ldif << EOF
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=mages,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: mages
gidNumber: 5000
memberUid: marisa

dn: uid=marisa,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: marisa
sn: Kirisame
givenName: Marisa
cn: Marisa Kirisame
displayName: Marisa Kirisame
uidNumber: 10000
gidNumber: 5000
userPassword: {CRYPT}x
gecos: Marisa Kirisame
loginShell: /bin/bash
homeDirectory: /home/marisa
EOF
```

```
root@example:/etc/ldap/slapd.d# ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif
```

When creating the groups and users, we will be asked for:\
1- the password for the user marisa (qwerty),\
2- the password for marisa again,\
3- the openLDAP root password (admin).

## _3- Load and enable policy modules_

We need to make use of new schemas and **policies**, which for the most part live in /usr/lib/ppolicy.so. Since the module already exists, we create modify_ppolicy_module.ldif to load it:

```
root@example:/# cat > modify_ppolicy_module.ldif << EOF
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.so
EOF
```

```
root@example:/# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f modify_ppolicy_module.ldif
modifying entry "cn=module{0},cn=config"
```

Restart slapd (the openLDAP server):

```
root@example:/# kill $(pidof slapd)
root@example:/# slapd -h "ldap:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
```

Now that the openLDAP server has been restarted with the module loaded, we can enable the new module's overlay on the database, so we create the following .ldif file:

```
root@example:/# cat > enable_ppolicy.ldif << EOF
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
EOF
```

```
root@example:/# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f enable_ppolicy.ldif
adding new entry "olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config"
```

The policies module has been loaded and we can begin to configure password schemas and ACLs.

## _4- Configure default password policies_

Create a basic overlay of your password policies:

```
root@example:/# cat > passwd_ppolicy_overlay.ldif << EOF
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdMinLength: 8
pwdCheckQuality: 2
EOF
```

```
root@example:/# ldapadd -x -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -H ldapi:/// -f passwd_ppolicy_overlay.ldif
adding new entry "cn=default,ou=policies,dc=example,dc=com"
```

You can change password policies like pwdMinLength, pwdMaxFailure, pwdMaxAge, etc., and all organizationalUnits (and therefore their users) will be affected by default through this *default ppolicy overlay*. Refer to https://git.ozymandias.work/okasion/ldapdock/src/branch/main/README.md#ins_password-policy-default-modules-options_ins for a list of all password policies available by default.

### _Enforcing password policies example_

In order to enforce our password configuration we need something to control. This is a short example.

Create an organizationalUnit:

```
root@example:/# cat > create_ou.ldif << EOF
dn: ou=Supergirls,dc=example,dc=com
objectClass: organizationalUnit
ou: Supergirls
EOF
```

```
root@example:/etc/ldap/slapd.d# ldapadd -x -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -H ldapi:/// -f create_ou.ldif
adding new entry "ou=Supergirls,dc=example,dc=com"
```

Create a password hash for the new user marisa:

```
root@example:/# slappasswd -s qwerty
{SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V
```

Create the new user marisa, who will belong to the organizationalUnit Supergirls (make sure to paste the hashed password into the userPassword line before EOF):

```
root@example:/# cat > create_user.ldif << EOF
dn: uid=marisa,ou=Supergirls,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Marisa
sn: Kirisame
givenName: Marisa
displayName: Marisa Kirisame
uid: marisa
uidNumber: 1001
gidNumber: 5000
homeDirectory: /home/marisa
loginShell: /bin/bash
userPassword: {SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V
mail: marisa@example.com
EOF
```

```
root@example:/etc/ldap/slapd.d# ldapadd -x -D "cn=admin,dc=example,dc=com" -w Op3nLd4p! -H ldapi:/// -f create_user.ldif
adding new entry "uid=marisa,ou=Supergirls,dc=example,dc=com"
```

User marisa, and every user added to Supergirls, will be subject to the default password policies. You can check it, for example:

```
root@example:/# ldappasswd -x -w qwerty -H ldapi:/// -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -s marisakirisame
Result: Constraint violation (19)
Additional info: Password fails quality checking policy
```

Password "marisakirisame" is accepted because we established before that pwdMinLength was 8.

```
root@example:/# ldappasswd -x -w qwerty -H ldapi:/// -D "uid=marisa,ou=Supergirls,dc=example,dc=com" -s kirisame
```

"kirisame" is rejected because it is only 8 characters long.
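The `{SSHA}` value that `slappasswd -s qwerty` printed above is base64(SHA-1(password + salt) + salt). The following added example (not part of ldapdock) builds and verifies userPassword values in that format and splits the README's own hash to expose its 4-byte salt; `README_HASH` is copied from the slappasswd step, everything else is assumed. Because the salt is random, a fresh run of slappasswd yields a different string for the same password that still verifies.

```python
"""Build and verify OpenLDAP {SSHA} userPassword values (added example, not ldapdock code)."""
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest size in bytes; the salt is whatever follows it

# Value printed by the README's "slappasswd -s qwerty" step (copied from the page).
README_HASH = "{SSHA}fgEXXr2J08jTVfgyOnkRL2I1JNL4Bp5V"


def make_ssha(password, salt=b""):
    """Return "{SSHA}" + base64(SHA1(password || salt) || salt), as slappasswd does."""
    if not salt:
        salt = os.urandom(4)  # slappasswd's default salt size is 4 bytes
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored):
    """Return (digest, salt) from a stored {SSHA} value, rejecting malformed input."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("value too short to hold a SHA-1 digest plus a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(stored, password):
    """Recompute SHA1(password || salt) with the stored salt; compare in constant time."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    _, salt = split_ssha(README_HASH)
    print("salt bytes in the README hash:", len(salt))
    fresh = make_ssha("qwerty")
    print("new hash for qwerty:", fresh, "-> verifies:", verify_ssha(fresh, "qwerty"))
```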